
extraneous HTML error document on stepup authentication in Apache 2.4 / Centos 7 #484

Closed
zandbelt opened this issue Aug 21, 2020 · 1 comment


@zandbelt
Member

There are three problems with the authorization error page when OIDCUnAutzAction auth is set.
I think these are probably bugs; can you comment? (This issue seems to be similar to issue #467.)

Problems:

  1. When the authorization error occurs, the HTTP header and body are duplicated (mod_auth_openidc authorization error 200 page + Apache 401 error page), and the Content-Length is only the size of the first half of the content. (See the network capture.)
  2. The HTTP header shows a 200 status, but Apache's access_log shows a 401 status, and the content is output to the page as a 401 error. (See the access_log and network capture.)
  3. Since the Content-Length does not match the actual body size, the meta-tag location change may not work properly when passing through some load balancers (ELB) using Chrome etc.

My environments:

  • OS: CentOS 7 (7.8.2003)
  • Keycloak: 6.0.1
  • Apache: httpd-2.4.6-93.el7.centos.x86_64
  • mod_auth_openidc: mod_auth_openidc-2.4.3-1.el7.x86_64.rpm

How to reproduce:

  1. Log in to Keycloak (e.g. the Keycloak user account page).
  2. Access http://service.example.com/ in mod_auth_openidc (the "acr" claim becomes "0" here after the authorization code flow).
  3. Go to http://service.example.com/secure/ in mod_auth_openidc.
  4. The authorization error occurs (!!! Here's the problem !!!).

Configuration:

<VirtualHost *:80>

    ErrorLog "/var/log/httpd/service.example.com/error_log"
    TransferLog "/var/log/httpd/service.example.com/access_log"

    DocumentRoot /var/www/html

    ServerName service.example.com

    OIDCResponseType code
    OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer
    OIDCRemoteUserClaim preferred_username
    OIDCProviderMetadataURL https://kc-server.example.com:443/auth/realms/demo/.well-known/openid-configuration

    OIDCClientID service
    OIDCClientSecret 08e95831-9807-40dd-9d3f-dc4ace337389
    OIDCRedirectURI http://service.example.com/callback

    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>

    <Location /secure/>
        AuthType openid-connect
        <RequireAll>
            Require valid-user
            Require claim acr:1
        </RequireAll>
        OIDCUnAuthAction auth
        OIDCUnAutzAction auth
        OIDCPathAuthRequestParams prompt=login&acr_values=1
    </Location>

</VirtualHost>

access_log (when the authorization error occurs):

192.178.185.145 - test001 [21/Aug/2020:13:57:14 +0900] "GET /secure/ HTTP/1.1" 401 988

Network capture (when the authorization error occurs):

[image: Wireshark capture]
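The two symptoms reported above (a Content-Length that covers only the first of two concatenated HTML documents, and a wire status that disagrees with the access_log) can be checked mechanically from a captured response. The following is an added example, not code from the issue or from the mod_auth_openidc project; the response bytes it analyses are constructed to mimic the described behaviour, and the access_log line is the one quoted in the issue.

```python
"""Detect a truncated Content-Length / concatenated error document in a raw
HTTP/1.1 response, and compare the wire status with an Apache access_log line.

Added example; the sample response below is constructed for illustration and
is not the capture attached to the issue.
"""
import re

# Constructed stand-in for the mod_auth_openidc step-up page (hypothetical
# content; the real page carries a meta refresh to the provider).
OIDC_PAGE = (
    b'<html><head><meta http-equiv="refresh" '
    b'content="0; url=https://kc-server.example.com/auth/realms/demo/..."></head>'
    b"<body>redirecting to the provider</body></html>"
)

# Constructed stand-in for Apache's own default 401 error document.
APACHE_401_PAGE = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    b"<html><head><title>401 Unauthorized</title></head>"
    b"<body><h1>Unauthorized</h1></body></html>\n"
)


def build_response(status_line: str, docs: list) -> bytes:
    """Assemble a response whose Content-Length covers only the first document,
    which is exactly the defect the issue describes when a second document is
    appended after it."""
    headers = (
        f"{status_line}\r\n"
        f"Content-Type: text/html\r\n"
        f"Content-Length: {len(docs[0])}\r\n\r\n"
    ).encode()
    return headers + b"".join(docs)


def analyze_response(raw: bytes) -> dict:
    """Parse status line and headers, then compare the declared Content-Length
    with the bytes actually present and count the HTML documents in the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    lines = head.split(b"\r\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get(b"content-length", b"-1"))
    actual = len(body)
    # Count opening <html> tags; two of them means two concatenated documents.
    html_docs = len(re.findall(rb"<html[\s>]", body, re.IGNORECASE))
    return {
        "status_code": status_code,
        "declared_length": declared,
        "actual_length": actual,
        # Bytes a strict client or proxy will never read (or will treat as
        # the start of the next response on a keep-alive connection).
        "extra_bytes": actual - declared if declared >= 0 else None,
        "html_documents": html_docs,
        "trailing_fragment": body[declared:] if 0 <= declared < actual else b"",
    }


def status_vs_log(result: dict, log_line: str) -> dict:
    """Compare the status on the wire with the status Apache logged for the
    same request (common log format: '... "REQUEST" STATUS BYTES')."""
    m = re.search(r'"[^"]*" (\d{3}) (\d+|-)\s*$', log_line)
    if not m:
        raise ValueError("unrecognised access_log line")
    log_status = int(m.group(1))
    return {
        "wire_status": result["status_code"],
        "log_status": log_status,
        "status_mismatch": result["status_code"] != log_status,
    }


# The access_log line quoted in the issue.
ISSUE_LOG_LINE = (
    '192.178.185.145 - test001 [21/Aug/2020:13:57:14 +0900] '
    '"GET /secure/ HTTP/1.1" 401 988'
)

if __name__ == "__main__":
    bad = analyze_response(build_response("HTTP/1.1 200 OK", [OIDC_PAGE, APACHE_401_PAGE]))
    print(bad)
    print(status_vs_log(bad, ISSUE_LOG_LINE))
```

A healthy response yields `extra_bytes == 0` and one HTML document; the faulty one yields a positive `extra_bytes` equal to the size of the appended Apache error page, two documents, and a 200 on the wire against the 401 in the log, which is what makes intermediaries such as ELB treat the body as truncated or desynchronised.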

@zandbelt
Member Author

I'm not sure how to solve this: ideally we'd prevent Apache from sending its own HTML content on 401's

zandbelt added a commit that referenced this issue Jun 1, 2021
see also f5959d7 and #484; at least
Debian Buster Apache 2.4 was affected

Signed-off-by: Hans Zandbelt <[email protected]>